What is 'metadata' and should you worry if yours is stored by law?

Ben Grubb and James Massola

The Abbott government has indicated its support for a controversial "data retention" regime, which would require internet and telephone providers by law to store every single subscriber's "metadata" for a period of up to two years for access without a warrant by law-enforcement agencies.

What is metadata? Should Australians be concerned that it's going to be retained for law-enforcement purposes if passed in Parliament? Is it true it can be accessed now without a warrant? And what is already possible? We answer these questions and more.

According to this definition, metadata is not what you type on a device or say over the phone, but rather the footprint that's left behind. For instance, when you use a phone or mobile, this includes the number called, the location from which the call is made, and the duration of the call.

Advertisement

When you're surfing the internet, the definition of what constitutes metadata gets murky.

On Wednesday morning, Prime Minister Tony Abbott told the Nine Network's Today show that metadata included "the sites you're visiting". His office later clarified that it did not include this.

"The government requires a lawful warrant to look at Australians' web-browsing history. This is not metadata, it’s content," his office said.

Metadata is widely understood by government officials to include the following :

Telephone numbers The time and length of phone calls The internet protocol addresses (IP addresses) of computers from which messages are received or sent Location of parties making phone calls To and from email addresses on emails Logs of visitors to chat rooms online Status of chat sites – whether they are active and how many people are participating Chat aliases or identifiers (the name a person uses in a chat room online) Start and finish times of internet sessions The location of an individual involved in communications The name of the application someone uses online and when, where and for how long used

Metadata is not:

The content of a communication such as a phone call or an email The subject line of an email The content of the discussion in a chat room online (what is said) The content of a mobile phone text message (SMS) Attachments to emails such as photos or videos Web camera transmissions Websites a person visits (i.e. browsing histories) The name of a website a person visits The substance of a person's social media posts

2. Why is there no legal definition for metadata in Australia?

One of the main reasons metadata hasn't been defined in legislation is that law enforcement agencies do not want to restrict what they have access to as technology rapidly changes.

It is unlikely that there will be a legal definition of metadata in the proposed legislation.

3. Who has access to your metadata now?

What many people don't realise is that, already, a number of Australian law-enforcement agencies are now able to access your metadata without a warrant if telcos - such as Telstra, Optus and Vodafone - retain it, which under current legislation they are not required to.

Agencies that can access, and have accessed, the metadata as defined by the Attorney-General's Department include federal, state and territory police, Medicare, Bankstown Council in NSW, Worksafe Victoria, the RSPCA, the Tax Office, Australia Post, domestic spy agency ASIO, ASIC and many others when conducting criminal and financial investigations.

4. How many times do these agencies access metadata?

Agencies accessed metadata 330,640 times in 2012-13 - an 11 per cent increase in a year and a jump of 31 per cent over two years.

However, it is unclear whether the 330,000 figure is a true representation of the number of Australian citizens who had their metadata accessed as the Attorney-General's Department is yet to clarify whether one request can include access to multiple peoples' metadata.

Further, ASIO is not included in the figures as it is exempt from having to report the number of requests it makes.

5 Is there potential for misuse?

There are many uncontroversial reasons to access metadata including allowing police to solve crimes by, for example, using mobile phone data to pinpoint the location of a suspect.

Meanwhile, officials at Queensland Police began accessing the private metadata of cadets last July to determine whether they were sleeping with one another or faking sick days. This access was labelled by the state's police union as "disturbing" and "potentially unlawful".

Greens Party senator Scott Ludlam has argued that warrants should be required for access, but law-enforcement agencies have said that this would clog up the courts.

In 2012, Victoria's then acting Privacy Commissioner Anthony Bendall dubbed data retention as "characteristic of a police state", arguing "it is premised on the assumption that all citizens should be monitored".

Abbott's recently apointed Human Rights Commisioner Tim Wilson said that he did not support data retention.

"I don't support the idea of data retention at all but I do realise that there are ways that it can be more or less infringing on peoples' right to privacy. That's not really in dispute," he said.

When in opposition, Communications Minister Malcolm Turnbull also criticised the thought of a data retention regime in Australia, saying: "Now this data retention proposal is only the latest effort by the Gillard government to restrain freedom of speech."

6. Why are law enforcement and the government pushing for new laws?

The Attorney-General's Department says that anecdotal reporting from law-enforcement agencies suggests that, increasingly, their requests for metadata from internet and phone providers are not being met as carriers are no longer retaining the data requested.

Traditionally, some telcos have kept the data for analytics and billing purposes. But they say they are beginning to delete it as it takes up a lot of storage space, which can be costly if it's not needed. One of Australia's largest internet providers, iiNet Group, has said that if it was required to bear the costs of a data retention regime then customer internet bills could go up by $10 a month.

7. Is there an international precedent for these laws?

In April, a similar data retention scheme in the European Union was ruled "invalid" by the Court of Justice in response to a case brought by Digital Rights Ireland against the Irish authorities and others.

Soon after, notwithstanding the ruling, Britain rushed through its own new "emergency" laws that made it mandatory again.

8. Will internet and phone providers be required to store metadata by law?

Yes. If the proposed laws pass, companies such as iiNet, Optus, Telstra and others would need to retain your metadata. In the past, a time period of two years has been suggested for how long it should be stored.

9. When is the government planning to legislate?

Attorney-General George Brandis said on Tuesday that laws to make data retention mandatory would be introduced into Parliament later this year and that the question of who would pay was yet to be decided.